Skip to main content

Caldera

9 CVEs product

Monthly

CVE-2022-40606 MEDIUM This Month

MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Caldera
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-41139 MEDIUM POC This Month

MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Caldera
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-40605 MEDIUM This Month

MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Caldera
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2020-14462 MEDIUM POC This Month

CALDERA 2.7.0 allows XSS via the Operation Name box. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Caldera
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-10807 MEDIUM PATCH This Month

auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Caldera
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2014-2936 HIGH POC This Week

The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via (1) the maindir_hotfolder parameter to dirmng/index.php, or an unspecified. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Caldera
NVD
CVSS 2.0
7.5
EPSS
0.5%
CVE-2014-2935 CRITICAL Act Now

costview3/xmlrpc_server/xmlrpc.php in CostView in Caldera 9.20 allows remote attackers to execute arbitrary commands via shell metacharacters in a methodCall element in a PHP XMLRPC request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection PHP Caldera
NVD
CVSS 2.0
10.0
EPSS
1.5%
CVE-2014-2934 HIGH POC This Week

Multiple SQL injection vulnerabilities in Caldera 9.20 allow remote attackers to execute arbitrary SQL commands via the tr parameter to (1) costview2/jobs.php or (2) costview2/printers.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Caldera
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
0.6%
CVE-2014-2933 MEDIUM This Month

Directory traversal vulnerability in dirmng/index.php in Caldera 9.20 allows remote attackers to access arbitrary directories via a crafted pathname. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Caldera
NVD
CVSS 2.0
5.0
EPSS
0.2%
EPSS 0% CVSS 6.1
MEDIUM This Month

MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Caldera
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Caldera
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Caldera
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

CALDERA 2.7.0 allows XSS via the Operation Name box. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Caldera
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Caldera
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via (1) the maindir_hotfolder parameter to dirmng/index.php, or an unspecified. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD
EPSS 2% CVSS 10.0
CRITICAL Act Now

costview3/xmlrpc_server/xmlrpc.php in CostView in Caldera 9.20 allows remote attackers to execute arbitrary commands via shell metacharacters in a methodCall element in a PHP XMLRPC request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection PHP Caldera
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Multiple SQL injection vulnerabilities in Caldera 9.20 allow remote attackers to execute arbitrary SQL commands via the tr parameter to (1) costview2/jobs.php or (2) costview2/printers.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Caldera
NVD Exploit-DB
EPSS 0% CVSS 5.0
MEDIUM This Month

Directory traversal vulnerability in dirmng/index.php in Caldera 9.20 allows remote attackers to access arbitrary directories via a crafted pathname. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Caldera
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy